o 

00 
00 

to 



(19) 



J 



Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 



(12) 



(H) EP1 168 870 A1 

EUROPEAN PATENT APPLICATION 



(43) Date of publication: 

02.01.2002 Bulletin 2002/01 

(21) Application number: 00311405.5 

(22) Date of filing: 19.12.2000 



(51) Int CI 7: H04Q 7/38 



(84) Designated Contracting States: 


(72) Inventors: 


AT BE CH CY DE DK ES Fl FR GB GR IE IT LI LU 


• Marcovlci, Michael 


MC NLPTSETR 


Wheaton, Illinois 60187 (US) 


Designated Extension States: 


• Mizikovsky, Semyon B. 


AL LT LV MK RO SI 


Morganville, New Jersey 07751 (US) 


(30) Priority: 13.06.2000 US 592337 


(74) Representative: 




Buckley, Christopher Simon Thirsk 


(71) Applicant: LUCENT TECHNOLOGIES INC. 


Lucent Technologies (UK) Ltd, 5 Mornington 


Murray Hill, New Jersey 07974-0636 (US) 


Road 




Woodford Green, Essex IG8 0TU (GB) 



(54) An improved method for an authentication of a user subscription identity module 



(57) A method for improving an establ ished Authen- 
tication and Key Agreement procedure which prevents 
rogue mobiles from fraudulently gaining access to a 
communication system. The communication system pe- 
riodically broadcasts a challenge interrogation message 
requesting that a mobile, which is currently validated to 
use the system, to authenticate itself to the system. The 
mobile computes an authentication response based on 
information known only to the communication system 
and the USIM of the mobile and transmits said response 
to the communication system. The communication sys- 
tem also computes an authentication response and 
compares said response with that received from the mo- 
bile, A mobile is authenticated by the communication 
system when the two authentication responses are 
equal. Otherwise, the mobile is not given access to the 
communication system. 
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Description 

Background of the Invention 
Field of the Invention 

[0001] The present invention generally relates to se- 
curity schemes used in communication system and 
more particularly to an improvement to a security 
scheme for the authentication of a portion of a mobile 
known as User Subscription Identity Modules. 

Description of the Related Art 

[0002] The security of information conveyed over 
communication systems is a main source of concern for 
service providers. Subscribers of communication sys- 
tems many times transmit and receive very sensitive 
and private information intended for specific parties. 
Service providers want to give their subscribers a cer- 
tain degree of confidence in the security capabilities of 
the communication system. Consequently, different se- 
curity schemes have been developed and are being 
used in current communication systems. One security 
scheme, used particularly in third generation wireless 
communication systems, is referred to as the Authenti- 
cation and Key Agreement (AKA) procedure. The AKA 
procedure is a security scheme that not only authenti- 
cates a subscriber and generates security keys, but it 
also validates received subscriber information to ensure 
that such information was not improperly modified at 
some point in the communication system prior to the re- 
ception of such information. Third generation wireless 
communication systems digital voice and relatively high 
speed data; these communication systems typically 
convey information in accordance with standards estab- 
lished by standards organizations such as the American 
National Standards Institute (ANSI) orthe European Tel- 
ecommunications Standards Institute (ETSI). 
[0003] Referring now to FIG. 1 , there is shown a por- 
tion of a wireless communication system. Communica- 
tion link 1 02 couples Home Location Register (HLR) 1 00 
to a base station 104 that is part of a Serving Network 
(SN). The SN is a communication system or part of a 
communication system that is providing services to sub- 
scribers. Base station 1 04 communicates with subscrib- 
ers (e.g., mobile 108) via wireless communication link 
1 06. For ease of illustration, only one base station of the 
SN is shown and also only one mobile is shown. HLR 
100 is part of system equipment (owned and operated 
by the service provider) that performs mobility manage- 
ment for the communication system. Mobility manage- 
ment is the proper handling of subscriber traffic and the 
calculation of various parameters associated with the 
AKA procedure. For example, a mobility manager de- 
tects the initiation of call by a subscriber and also knows 
the subscriber's location and which base station is serv- 
ing such a subscriber. The mobility manager can then 



inform the base station serving the subscriber making 
the call as to which base station the call is to be deliv- 
ered. 

[0004] HLR 100 contains subscriber specific data 
5 records including identification and authentication infor- 
mation for mobiles of all subscribers of the communica- 
tion system. Base station 1 04 contains, inter alia, typical 
radio equipment for transmitting and receiving commu- 
nication signals and other equipment for processing 

10 subscriber and system information. For example, base 
station 104 contains a Visitors Location Register (VLR) 
(not shown) which receives security related information 
from the HLR and derives additional security related in- 
formation which is then transmitted to the proper mobile. 

*5 The VLR also receives security related information from 
mobiles which it processes to authenticate communica- 
tion between mobiles and the base station. The process 
of authentication is described herein in the discussion 
of the AKA procedure. Mobile 108 represents typical 

20 subscriber communication equipment (e.g., cell phone, 
wireless laptop pc) that transmits and receives system 
information and subscriber information to and from the 
base station. The system information is information that 
is generated system equipment to operate the commu- 

25 nication system 

[0005] Mobile 108 has a User Subscription Identity 
Module (USIM) portion that is interfaced to the rest of 
the mobile equipment. The interface between the USIM 
and the mobile is standardized so that any USIM built 

30 in accordance with an interface standard can be used 
with any mobile equipment which is also configured in 
accordance with the same interface standard. Typically, 
the USIM is attached to the mobile as a storage device 
containing an ID number and other mobile identification 

35 data unique to a particular subscriber. Thus, part of the 
information stored in the HLR is also stored in the USIM. 
The USIM is capable of communicating with the rest of 
the mobile equipment commonly referred to as the shell 
or the mobile shell. Many publicly accessible mobiles (e. 

40 g., taxi cell phones) can be used by a subscriber insert- 
ing a USIM (also known as a "smart card") into the mo- 
bile. The information stored in the USIM is transferred 
to the mobile shell allowing the mobile to gain access to 
the communication system. Another type of arrange- 
r's ment between a USIM and a mobile shell is to integrate 
the USIM into the circuitry of the mobile shell. A mobile 
with an integrated USIM is typically owned by an indi- 
vidual subscriber and the communication system uses 
the information stored in a mobile's USIM to identify and 

so confirm that the mobile has property obtained access to 
the SN. 

[0006] When a mobile wishes to gain access to a com- 
munication system, it must first be recognized as an au- 
thorized user of the communication system and then it 
55 executes an AKA procedure with the system equipment. 
As a result of the AKA procedure, the mobile's USIM 
generates two keys: (1) an Integrity Key (IK) used to 
compute digital signatures of information exchanged 
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between the mobile and the base station. The digital sig- 
nature computed with the IK is used to validate informa- 
tion integrity. The digital signature is a certain pattern 
which results when the proper IK is applied to any re- 
ceived information. The IK allows the authentication of 
information exchanged between the base station and 
the mobile; that is, the IK is applied to received informa- 
tion resulting in the generation of a digital signature in- 
dicating that the received information was not modified 
(intentionally or unintentionally) in any manner; (2) a ci- 
phering key (CK) is used to encrypt information being 
transmitted over communication link 106 between base 
station 1 04 and mobile 1 08. Encryption of information 
with the ciphering key ensures privacy. 
[0007] Both the IK and the CK are secret keys estab- 
lished between the base station and the mobile to es- 
tablish a valid security association. A valid security as- 
sociation refers to a set of identical data patterns (e.g., 
IK, CK) independently generated by a USIM (coupled to 
a mobile) and a serving network indicating that the USIM 
is authorized to have access to the SN and the informa- 
tion received by the mobile from the SN is from an au- 
thorized and legitimate SN. A valid security association 
indicates that a mobile (i.e., the mobile's USIM) has au- 
thenticated itself to the SN and the SN has been authen- 
ticated by the mobile (i.e., the mobile's USIM). When the 
IK and CK- independently generated by the serving net- 
work and the mobile's USIM-are not identical, the se- 
curity association is not valid. The determination of 
whether IK and CK computed at the SN are identical to 
the IK and CK computed at a USIM of a mobile is dis- 
cussed infra. The USIM transfers the IK and CK to the 
mobile shell which uses them as described above. The 
IK and CK at the network are actually computed by the 
HLR. The HLR sends various information to the VLR 
and the mobile during an AKA procedure and generates, 
inter alia, the IK and CK, which it forwards to the VLR. 
[0008] In a current standard (3GPP TSG 33.1 02) for 
third generation wireless communication systems, an 
authentication security scheme that uses an AKA pro- 
cedure has been established. The information needed 
to execute the AKA procedure is contained in a block of 
information (stored in the HLR) called the Authentication 
Vector (AV). The AV is a block of information containing 
several parameters, namely: RAND, XRES, IK, CKand 
AUTN. Except for the AUTN and RAND parameters, 
each of the parameters is generated by the application 
of an algorithmic non-reversible function f n \o RAND and 
a secret key, Kj. An algorithmic non-reversible function 
is a specific set of steps that mathematically manipu- 
lates and processes information such that the original 
information cannot be regenerated with the resulting 
processed information. There is actually a group of non- 
reversible algorithmic functions which are used to gen- 
erate various parameters used in the AKA procedure; 
the various parameters and their associated functions 
are discussed infra. K, is a secret key associated with 
subscriber / (where / is an integer equal to 1 or greater) 



and which is stored in the HLR and in subscriber i's 
USIM. RAND is a random number uniquely specific to 
each AV and is selected by the HLR. XRES is the Ex- 
pected Mobile Station Response computed by the USIM 

5 of a mobile by applying a non-reversible algorithmic 
function to RAND and Kj. IK is computed by the USIM 
and the HLR also by the application of a non-reversible 
algorithmic function to RAND and K,. CK is also com- 
puted by both the USIM and the HLR by applying a non- 

io reversible algorithmic function to RAND and Kj. 

[0009] AUTN is an authentication token which is a 
block of information sent to the VLR by the HLR for au- 
thenticating the SN to the mobile, tn other words, the 
AUTN contains various parameters some of which are 

15 processed by the USIM of the mobile to confirm that the 
AUTN was indeed transmitted by a legitimate base sta- 
tion of the SN. AUTN contains the following parameters: 
AK e SON, AMF and MAC. AK is an Anonymity Key 
used for concealing the value of SQN which is a unique 

20 sequence vector that identifies the AV. AK is computed 
by applying a non-reversible algorithmic function to 
RAND and K,. SQN, i.e., the Sequence Number, is in- 
dependently generated by the USIM and the HLR in syn- 
chronized fashion. AMF is the Authentication Manage- 
rs ment Field whose specific values identify different com- 
mands sent from the HLR to the USIM. The AMF can 
be thought of as an in-band control channel. MAC, i.e., 
the Message Authentication Code, represents the sig- 
nature of a message sent between the base station and 

30 the mobile which indicates that the message contains 
correct information; that is, the MAC serves to verify the 
content of messages exchanged between a mobile and 
the SN. For example, MAC = f n (RAND, AMF, SQN, Kj) 
which is a signature of correct values of SQN and AMF 

35 computed with the use of a n on -reversible algorithmic 
function using a secret key Kj and randomized by RAND. 
[0010] For ease of explanation only, the AKA proce- 
dure will now be described in the context of a commu- 
nication system part of which is shown in FIG. 1 . The 

40 communication system shown in FIG. 1 complies with 
the 3GPP TSG33.1 02 standard. Initially, the AV is trans- 
ferred from HLR 100 to the VLR at base station 104 (or 
to a VLR coupled to base station 104). In accordance 
with the standard, the VLR derives XRES from the re- 

45 ceived AV. The VLR also derives AUTN and RAND from 
the received AV and transfers them to mobile 108 via 
communication link 106. Mobile 108 receives AUTN and 
RAND and transfers the RAND and AUTN to its USIM. 
The USIM validates the received AUTN as follows: The 

50 USIM uses the stored secret key (Kj) and RAND to com- 
pute the AK, and then uncovers the SQN. The USIM 
uncovers the SQN by exclusive ORing the received AK 
0 SQN with the computed value of AK; the result is the 
uncovered or deciphered SQN. Then the USIM com- 

55 putes the MAC and compares it to the MAC received as 
a part of the AUTN. If MAC checks, (i.e., received MAC 
= computed MAC) the USIM verifies that the SQN is in 
a valid acceptable range (as defined by the standard), 
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in which case the USIM considers this attempt at au- 
thentication to be a valid one. The USIM uses the stored 
secret key (K,) and RAND to compute RES, CK and IK. 
The USIM then transfers IK, CK and RES to the mobile 
shell and causes the mobile to transmit (via communi- 5 
cation link 106) RES to base station 104. RES is re- 
ceived by base station 1 04 which transfers it to the VLR. 
The VLR compares RES to XRES and if they are equal 
to each other, the VLR also derives the CK and IK keys 
from the Authentication Vector. Because of the equality 
of XRES to RES, the keys computed by the mobile are 
equal to the keys computed by the HLR and delivered 
to the VLR. 

[0011] At this point, a security association exists be- 
tween base station 1 04 and mobile 1 08. Mobile 1 08 and 
base station 1 04 encrypt information conveyed over link 
106 with key CK. Mobile 108 and base station 104 use 
key IK to authenticate information exchanged between 
them over communication link 106. Further, mobile 108 
and base station 104 use IK to authenticate the sub- 
scriber/SN link established for mobile 1 08. The commu- 
nication system uses the IK for authentication; that is, a 
proper value of IK from the mobile during communica- 
tions implies that the mobile has properly gained access 
to the communication system and has been authorized 
by the communication system to use the resources (i. 
e., system equipment including communication links, 
available channels and also services provided by the 
SN) of the communication system (i.e., the SN). Thus, 
IK is used to authenticate the mobile to the SN. The use 
of IK to authenticate the mobile to the SN is called local 
authentication. Since base station 104 and mobile 108 
already have a valid IK, it is simpler to use this valid IK 
instead of having to generate a new one requiring ex- 
change of information between base station 104 and 
HLR 100 (i.e., intersystem traffic) that usually occurs 
when establishing a security association. In other 
words, once a subscriber gains access to a system and 
the subscriber's mobile has been authenticated, the IK 
and CK generated from the authentication process are 
used for information exchanged between the user's mo- 
bile and the base station and for authenticating the sub- 
scriber/SN link without having to re-compute an IK for 
each subsequent new session. Mobile shells, which 
comply with the standard established for the AKA pro- 
cedure, will delete the IK and CK established from the 
authentication process once their USIM are detached. 
However, there are many rogue mobiles (unauthorized 
mobiles that manage to obtain access to a communica- 
tion system) that do not comply with the requirements 
of the standard established for the AKA procedure. 
These rogue mobiles maintain the use of the IK and CK 
keys even when the USIM has been detached from 
them. Because of the use of the local authentication 
technique used in the currently established AKA proce- 
dure, the rogue mobiles are able to fraudulently use the 
resources of a communication system. 
[0012J The following scenario describes one possible 



way in which a rogue mobile (e.g., a Taxi phone) can 
make fraudulent use of a communication system that 
uses the currently established AKA procedure. A sub- 
scriber inserts his or her USIM card into a Taxi phone to 
make a call. Once the mobile is authenticated as de- 
scribed above, the subscriber can make one or more 
calls. When all the calls are completed, the subscriber 
removes the USIM card from the Taxi phone. If the Taxi 
phone is in compliance with the standard, the phone will 
delete the CK and IK of the subscriber. However, if the 
Taxi phone is a rogue phone, it will not delete the CK 
and IK keys of the subscriber. Unbeknownst to the sub- 
scriber, the rogue phone is still authenticated (using lo- 
cal authentication based on IK) even when the subscrib- 
er has removed the USIM card. Thus, fraudulent calls 
can then be made on the rogue phone until the security 
association is renewed. Depending on the service pro- 
vider, the security association can last for as long as 24 
hours. 

[0013] What is therefore needed is an improvement 
to the currently established AKA procedure that will 
eliminate the fraudulent use of a subscriber's authenti- 
cation keys by a rogue mobile. 



[0014] The present invention provides a method for 
an improved AKA procedure that prevents rogue mo- 
biles from improperly and fraudulently use the resources 
of a communication system. Upon the establishment of 
a security association between a mobile and its base 
station, the method of the present invention allows the 
communication system to periodically challenge the au- 
thenticity of a mobile. The challenge may be a global 
challenge to all mobiles being served by the base station 
or the challenge can be a unique challenge to a specific 
mobile being served by the base station. 
[0015] Regardless of the type of challenge presented 
by the base station, the mobile's USIM is able to com- 
pute an authentication response based on information 
available only to the mobile's USIM and the base sta- 
tion's VLR. The authentication response computed by 
the mobile's USIM is passed on to the mobile shell which 
transmits the authentication response to the base sta- 
tion. The received authentication response is then trans- 
ferred to the base station's VLR which compares it to an 
authentication response independently computed by 
the VLR. The mobile is deemed authenticated when the 
VLR's authentication response is equal to the authenti- 
cation response received from the mobile shell. In this 
manner, a security association resulting from the exe- 
cution of an AKA procedure can be periodically validat- 
ed with negligible impact on an already established AKA 
procedure. More importantly, the periodic authentication 
of a security association prevents rogue mobiles from 
fraudulently making use of the system resources. The 
method of the present invention also comprises the ape- 
riodic or continuous or continual challenge of the au- 
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thenticity of a mobile. 

[001 6] The method of the present invention performs 
the following steps: 

An Authentication Vector (AV) is transmitted by the HLR 
to the VLR of the base station. The AV contains several 
parameters used in the execution of the AKA procedure 
including AK, and SQN. Whereas heretofore, AK was 
exclusive ORed (i.e., the operation denoted by " © ") 
with SQN to protect SQN when it is transmitted over a 
publicly accessible communication link between the 
base station and the mobile, AK and SQN are now re- 
ceived by the VLR without being exclusive ORed to each 
other. Alternatively, the AK can be included in the Au- 
thentication Vector in addition to the value represented 
by an exclusive OR of the AK and the SQN. Thus, the 
VLR knows the value of AK. As in the prior art , the VLR 
transmits to the mobile the concealed SQN exclusive 
0 Red with the AK as a portion of the AV called the AUTN 
to initiate the AKA procedure. A random number 
(RAND) generated by the VLR which is needed to initi- 
ate the AKA procedure is also transmitted by the VLR 
to the mobile. The AUTN is transferred from the mobile 
shell to the mobile's USIM. The USIM computes AK but 
does not transfer it to the mobile shell. The AKA proce- 
dure is executed resulting in a security association es- 
tablished between the mobile and the base station. 
[0017] Upon the next access request, or any request 
by a mobile or the base station to make use of the com- 
munication system resources, a local authentication 
challenge is performed between the base station and 
the mobile. The local authentication challenge can also 
be performed during a session wherein the mobile is 
making use of the resources of the communication sys- 
tem. Specifically, the base station transmits a challenge 
interrogation message to the mobile requesting that the 
mobile authenticate itself to the base station. The chal- 
lenge interrogation message can be a unique message 
intended for a particular mobile or it can be a global mes- 
sage requesting all mobiles being served by the base 
station to authenticate themselves to the base station. 
In response, the mobile's USIM computes a local au- 
thentication response (AUTH L ). AUTH L is computed by 
applying a non-reversible algorithmic fanction f n \o AK, 
IK and a RANDU or RAND G parameter. The RANDU 
parameter (i.e., RANDom Unique number) is used when 
the challenge interrogation message is intended for a 
specific mobile. The RAND G parameter is used when 
the challenge is transmitted globally to all mobiles being 
served by the base station. The RANDU or the RAND G 
parameter is transmitted by the VLR as part of the chal- 
lenge interrogation message. Upon transmission of the 
challenge interrogation message to a mobile, the VLR 
of the base station independently computes AUTH L also 
using IK, AK and RANDU or RAND G . 
[0018] The mobile transmits AUTH L to the base sta- 
tion in response to the challenge interrogation message. 
The AUTH L from the mobile is received by the base sta- 
tion and is transferred to the base station's VLR which 



compares the received AUTH L to the AUTH L it has com- 
puted independently. If the two AUTH L 's are equal, the 
mobile's USIM is said to be authenticated rendering the 
security association valid. If the two AUTH L 's are not 
5 equal, the security association is deemed invalid and the 
method of the present invention prevents the mobile 
from having access to the resources of the communica- 
tion system. 

10 Brief Description of the Drawings 

[0019] 

FIG. 1 depicts a portion of a wireless communica- 
15 tion system; 

FIG. 2 shows the steps of the method of the present 
invention. 

Detailed Description 

20 

[0020] Referring to FIG. 2, there is shown the steps 
of the method of the present invention which will now be 
described in the context of FIG. 1 . The method of the 
present invention applies to the AKA scheme defined by 

25 the 3GPP TSG 3.102 standard and to other standards 
that use an AKA scheme. For example, the method ap- 
plies to various communication systems whose archi- 
tectures are defined by the ANSI-41 standard. Such 
communication systems include but are not limited to 

30 Wide band CDMA systems (W-CDM A), TDM A (Time Di- 
vision Multiple Access) systems, UMTS (Universal Mo- 
bile Telecommunications System) and third generation 
GSM (Global System for Mobile communications) sys- 
tems defined by ETSI. In step 200, the AKA procedure 

35 js initiated; this procedure is initiated either when a mo- 
bile (e.g., 108) wants access to the service network or 
the service network has received a call for mobile 108 
and wants to set up a call between the mobile and an- 
other party. In any event, in step 200, HLR 1 00 transmits 

40 an AV signal over system link 1 02 to Base Station 1 04. 
A VLR (not shown) at base station 1 04 receives the AV 
over communication link 1 02 which is not accessible to 
any subscribers of the communication system. The AV, 
which normally contains several parameters including 

45 AK © SQN, is now sent with a clear value for AK. Unlike 
in the prior art where the base station receives the AV 
containing a ciphered combination of SQN and AK (i.e., 
AK © SQN), the method of the present invention allows 
the VLR to know the individual value of AK by allowing 

50 the HLR to transfer AK to the base station (i.e., the VLR) 
in the clear. In other words, AK is no longer exclusive 
ORed with SQN as required by the current AKA proce- 
dure. Alternatively, AK © SQN and AK can both be sent 
to the VLR from the HLR. Thus, once the VLR at base 

55 station 104 receives the AV from HLR 100, the VLR 
stores the value of AK. 

[0021] The AV, which in addition to other parameters 
contains SQN, AK, MAC and AMF, is received by the 
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base station's VLR which masks the SQN with the AK 
thus assembling the ciphered value of the SQN. This 
ciphered SQN is transmitted by the base station as part 
of the AUTN signal along with a RAND signal to mobile 
108. In particular, the VLR ciphers the SQN (i.e., per- 
forms AK © SQN) thus disguising the AK, completes as- 
sembly of the AUTN, and transmits the authentication 
request as an AUTN signal along with a RAND signal to 
mobile 108. Mobile 108 transfers the received AUTN 
along with the RAND signal to Its USIM for validation 
and generation of security parameters which define the 
establishment of a security association. 
[0022] In step 202, the parameters IK and CK are gen- 
erated by the USIM as in the prior art. In particular, the 
USIM generates RES from f 2 (RAND, Kj); note that f 2 is 
also used in generating XRES . The USIM generates IK 
from the computation f 3 (RAND, Kj), generates CK from 
the computation f 4 (RAND, Kj) and AK from the compu- 
tation f 5 (RAND, K|). It will be readily understood that the 
set of non-reversible algorithmic functions used to com- 
pute the parameters is chosen as per the communica- 
tion standard being followed by the communication sys- 
tem. The particular non-reversible algorithmic functions 
used to describe the computation of certain parameters, 
however, may or may not be consistent with the dictates 
of the standard. Further, the USIM computes the expect- 
ed value of the MAC (using the ^ function) and com- 
pares it to the value received in the AUTN. If the MAC 
is valid, the USIM deciphers individual values of AK and 
SQN and verifies that the SQN value is in an acceptable 
range. Also, in step 202, the VLR receives the IK, CK 
and XRES from the HLR where these parameters were 
computed in the same manner as the USIM. The USIM 
transfers RES, CK, and IK to the shell of mobile 108. 
Mobile 1 08 transmits RES to the base station 1 04 which 
transfers it to its VLR. 

[0023] In step 204, the VLR compares the received 
RES to the calculated XRES and if RES=XRES then the 
CK and IK at the VLR are the same as the CK and IK at 
the mobile and USIM. A valid security association has 
now been established and confirmed for the Subscriber/ 
SN link (i.e., link 1 06) for a certain duration of a session. 
The authenticity of the mobile is thus established mean- 
ing that the mobile has properly gained access to the 
SN by obtaining the proper authorization from the SN to 
user the resources of the SN. The session refers to the 
length of time elapsed during the authentication proc- 
ess, access given to the subscriber, and the subscriber 
making use of the resources. For example, a session 
can be the time elapsed during a telephone call encom- 
passing the time it takes to set up the call as per the 
standard being followed by the communication system, 
the time it takes for the system to give the subscriber 
access to the communication system and the amount of 
time used by the subscriber in making use of the re- 
sources of the communication system by engaging in 
communications (e.g., voice call) with another party. 
[0024] In step 206, at some time during the session, 



the VLR at base station 104 will challenge the authen- 
ticity of the established security association by broad- 
casting a challenge interrogation message. In particular, 
whether mobile 1 08 has obtained authorization from the 

5 system to transmit and receive information to and from 
base station 104 via communication link 106 is being 
challenged; that is, the authorization for the subscriber/ 
serving network link (i.e., information exchanged over 
communication link 106) is being challenged. The chal- 

10 lenge interrogation message can be a global challenge 
in which case the message is broadcast to all the mo- 
biles being served by the base station. Alternatively, the 
challenge interrogation message can be a unique mes- 
sage intended for a specific mobile being served by the 

15 base station. The challenge interrogation message is 
transmitted by the VLR periodically, aperiodically, con- 
tinually or continuously during a session. The challenge 
interrogation messaged can also be transmitted at the 
beginning of each session after a security association 

20 has been established. The challenge interrogation mes- 
sage is the initiation of a local authentication between 
mobile 108 and the SN. The challenge interrogation 
message contains a random number (i.e., RAND G for a 
global challenge or RANDU for a unique challenge) 

25 which is generated by the VLR at base station 1 04. The 
particular format of the challenge interrogation message 
depends on the format defined the standard with which 
the communication system complies. Mobile 108 re- 
ceives the random number and transfers said number 

30 to its USIM. The USIM applies a non-reversible algorith- 
mic function to the IK, AK parameters and the random 
number (i.e., RAND G or RANDU) to compute a local au- 
thentication response called AUTH L . In particular, for a 
global challenge AUTH L =/ n (RAND G , AK), K and for a 

35 unique challenge AUTH L =/„( RANDU, AK) (K . The non- 
reversible algorithmic function used to compute AUTH L 
can be any one from the group of function (f n where n 
is an integer equal to 1 or greater) defined by the stand- 
ard being followed by the communication system. The 

40 VLR at base station 104 independently computes AU- 
TH L in the same manner. Because AK is known only to 
the VLR and the USIM, the AUTH L cannot be computed 
by a rogue phone since such a phone does not have 
access to AK; thus the local authentication is performed 

« on information (i.e., AK) known only to the SN and the 
mobile's USIM. The authentication response (AUTH L ) 
computed by the USIM is transferred to the mobile shell 
which transmits it (e.g., by attaching it to messages 
transmitted to the base station) to base station 104. 

50 Base station 104 transfers the received AUTH L to the 
VLR which compares it to its independently computed 
AUTH L . 

[0025) In an alternative embodiment of the method of 
the present invention, the USIM of mobile 108 transfers 
55 AUTH L to the shell of mobile 1 08. The mobile shell com- 
putes a parameter called a MAC-I using IK and AUTH L . 
The mobile shell then transmits MAC-I to the base sta- 
tion which transfers MAC-I to the VLR. The VLR, which 
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independently computes its own MAC-I (also using IK 
and AUTHJ, and compares it to the received MAC-I. 
Thus, MAC-I is used for the dual purposes of local au- 
thentication and to validate content of information ex- 
changed between the mobile and the SN. By using 5 
MAC-I, there is no need to attach AUTH L to messages. 
[0026] In step 208, the session and the mobile (i.e., 
the mobile's USIM) are authenticated if the two AUTH L 's 
(or MAC-I's) are equal; that is, when the AUTH L (or 
MAC-I) computed by the VLR is equal to the AUTH L (or 10 
MAC-I) received from mobile 108 and computed by the 
mobile's USIM. The VLR thus confirms the authenticity 
of an already established link (i.e., SN/Subscriber link 
established) between mobile 108 and base station 104 
or allows a link to be established; that is, the method of *5 
the present invention has now moved back to step 204. 
The mobile is given access to the resources of the com- 
munication system, or in the case of an already estab- 
lished link, the mobile continues to have access to the 
resources of the communication system. If the VLR can- 20 
not authenticate the SN/Subscriber link (i.e., received 
AUTH L or MAC-I is not equal to AUTH L or MAC-I calcu- 
lated by VLR), the method of the present invention 
moves to step 21 0 wherein the mobile is prevented from 
having access to the SN; that is, the link is dropped and 25 
the CK and IK associated with the link are no longer ac- 
cepted by the SN (i.e., base station 104). The security 
association is no longer valid and the mobile is not given 
access to the resources of the communication system. 
Therefore, a rogue mobile, which has no USIM is not 30 
able to authenticate itself to the communication system 
and thus is not able to fraudulently make use of the re- 
sources of the communication system. 



Claims 

1. A method for authenticating a mobile to a Serving 
Network, the method 

CHARACTERIZED BY the steps of: 40 

establishing a security association between the 
mobile and the Serving Network thus authenti- 
cating the mobile to the Serving Network; 
challenging the authenticity of the mobile; and 
preventing the mobile from having access to 
the Serving Network when the mobile cannot 
authenticate itself to the SN. 
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